

[ScreenOS] What is an ALG (Application Layer Gateway)?

  [KB13530]

This article provides information about ALG (Application Layer Gateway).

An application layer gateway (ALG) is a feature on ScreenOS gateways that enables the gateway to parse application layer payloads and take decisions on them.  Although there are other ScreenOS features, such as deep inspection, in which the gateway inspects traffic at the application layer, ALGs are typically employed to support applications that use the application layer payload to communicate the dynamic Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports on which the applications open data connections. Such applications include the File Transfer Protocol (FTP) and various IP telephony protocols. The dynamic TCP, UDP, or other ports that are opened by the ScreenOS gateway to permit these data or secondary channels are referred to as pinholes, and are active strictly for the duration of activity on the data channel.

An ALG implementation requires a ScreenOS gateway to inspect the application layer payload of a packet and understand the application control messages. When traffic matches a ScreenOS security policy that references an ALG's associated service, the enabled ALG automatically kicks in: it performs application layer inspection, dynamically opens and closes TCP/UDP ports, and applies the associated network/port address translation. For instance, a policy that references the FTP service on its default TCP port will automatically use the FTP ALG as long as the FTP ALG is enabled globally or for that particular policy on the ScreenOS gateway.

You can also configure ALGs to be triggered when an ALG-supported application is running on a non-default, custom port. ScreenOS gateways ship with a wide range of available ALGs. Support for new ALGs is frequently added with new releases of ScreenOS. Additionally, ScreenOS offers a rich suite of ALG debugging capabilities that show ALG hits and dynamic pinholes being opened on the gateway.

Note: This excerpt is used by permission of the publisher, O'Reilly Media, ©2008. All rights reserved. Excerpted from ScreenOS Cookbook, by Stefan Brunner, Ken Draper, David Delcourt, Joe Kelley, Vik Drakar, & Sunil Wadhwa. ISBN: 0596510039.
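
How an ALG can derive a pinhole from the FTP control channel, as an added example (it is not part of the ScreenOS Cookbook excerpt and is not ScreenOS code). The names `Pinhole` and `pinhole_for`, the absence of NAT, and the policy of refusing third-party addresses and ports below 1024 are assumptions made for illustration; the sample control lines are constructed.

```python
import re
from typing import NamedTuple, Optional

class Pinhole(NamedTuple):
    src_ip: str    # host allowed to initiate the data connection
    dst_ip: str    # host listening for it
    dst_port: int  # dynamic port announced in the control channel

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 (six decimal octets)
_HOSTPORT = re.compile(r"(?<!\d)" + r"(\d{1,3})," * 5 + r"(\d{1,3})(?!\d)")

def pinhole_for(line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Return the pinhole one FTP control line calls for, or None.

    client_ip and server_ip are the endpoints of the control connection.
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() == "PORT":   # active mode: the client listens
        listener, initiator = client_ip, server_ip
    elif verb == "227":          # passive-mode reply: the server listens
        listener, initiator = server_ip, client_ip
    else:
        return None              # not a message that negotiates a data port
    m = _HOSTPORT.search(arg)
    if m is None:
        return None
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    # Assumed policy: only open a pinhole toward the control-connection peer
    # that announced it, and never toward a well-known port.
    if ip != listener or port < 1024:
        return None
    return Pinhole(initiator, ip, port)

if __name__ == "__main__":
    # Constructed control-channel lines (documentation addresses)
    for sample in ("USER anonymous",
                   "PORT 10,0,0,5,19,137",
                   "227 Entering Passive Mode (192,0,2,10,195,80).",
                   "PORT 10,0,0,99,19,137"):
        print(f"{sample!r:50} -> {pinhole_for(sample, '10.0.0.5', '192.0.2.10')}")
```

A real ALG would also expire each pinhole once the data channel goes idle, and would rewrite the address in the payload when NAT applies.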

To check the ALGs on a ScreenOS device, refer to KB13509 - Viewing list of ALGs and disabling an ALG differs on ScreenOS versions.

To check the ports that trigger the ALG, refer to KB8604 - Which ports will trigger the ALG (Application Layer Gateway) in ScreenOS?